Access permissions management system and method
US-9680839-B2 · Jun 13, 2017 · US
US10277632B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10277632-B2 |
| Application number | US-201615250085-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 29, 2016 |
| Priority date | Dec 21, 2011 |
| Publication date | Apr 30, 2019 |
| Grant date | Apr 30, 2019 |
Abstract
Certain embodiments provide means for managing automated access to computers, e.g., using SSH user keys and other kinds of trust relationships. Certain embodiments also provide for managing certificates, Kerberos credentials, and cryptographic keys. Certain embodiments provide for remediating legacy SSH key problems and for automating configuration of SSH keys, as well as for continuous monitoring.
Claims
The invention claimed is:

1. A method for managing keys in a computerized system, the method comprising: determining, by an apparatus for management of keys and as a result of a requested key management operation, that a key is a shared key when information of the shared key is shared by a group of entities configured to serve a client entity for communication with the client entity or is shared by a group of entities for communication with the client entity, wherein the shared key is used for communicating over different communication paths between the group of entities and the client entity, and performing a shared key operation based on the determining.
2. The method according to claim 1, further comprising detecting a request for the key management operation in association with the shared key, and performing the shared key operation instead of, or in addition to, the requested key management operation when the key is the shared key.
3. The method according to claim 1, wherein the shared key operation comprises displaying information regarding the shared key.
4. The method according to claim 3, further comprising displaying at least one of a notice that the key is or will become the shared key, an identity of at least one entity using the shared key, a number of locations of the shared key, a list of locations of the shared key, a number of trust relationships associated with the shared key, a prompt to use another key or to relocate the shared key from a shared location, information of one or more commands executed using the shared key, and information of one or more Internet Protocol (IP) addresses using the shared key.
5. The method according to claim 1, wherein the shared key operation includes causing changes to a key in at least one entity using the shared key.
6. The method according to claim 1, wherein the shared key operation comprises relocating the key from a shared location to another location.
7. The method according to claim 6, where the key is relocated to a local directory from a file system serving a plurality of hosts.
8. The method according to claim 1, wherein the shared key operation comprises preventing the requested key management operation to proceed.
9. The method according to claim 1, wherein the shared key operation comprises at least one of removing an authorization of the key and blacklisting the key.
10. The method according to claim 1, wherein the determining that the key is the shared key comprises determining at least one of that: the key is associated with at least two hosts, the key is associated with at least two user accounts, a host using the key is linked to a file system for storing directories of a plurality of hosts, the key is located in a shared location, and a command resulting in sharing of the key.
11. The method according to claim 1, wherein the key comprises an authorized key or a private key stored in a shared location.
12. The method according to claim 1, further comprising triggering a different shared key operation for different shared keys.
13. The method according to claim 1, wherein the shared key is an asymmetric shared key that uses a different key for encryption and decryption, wherein the asymmetric shared key is used for communicating over different communication paths between the group of entities and the client entity.
14. An apparatus for management of keys, the apparatus comprising at least one processor, and memory including computer program code, wherein the memory and the computer program code are configured, with the at least one processor, to cause the apparatus to: determine, as a result of a requested key management operation, that a key is a shared key when information of the key is shared by a group of entities configured to serve a client entity for communication with the client entity or is shared by a group of entities configured to serve a client entity for communication with the client entity, wherein the shared key is used for communicating over different communication paths between the group of entities and the client entity, and cause a shared key operation based on the determination.
15. The apparatus according to claim 14, configured to detect a request for the key management operation in association with the shared key, and cause the shared key operation instead of, or in addition to, the requested key management operation when the key is the shared key.
16. The apparatus according to claim 14, configured to cause a display of information regarding the shared key.
17. The apparatus according to claim 16, wherein the display comprises at least one of a notification that the key is or will become the shared key, an identity of at least one entity using the shared key, a number of locations of the shared key, a list of locations of the shared key, a number of trust relationships associated with the shared key, a prompt to use another key, a prompt to relocate the shared key from a shared location, information of one or more commands executed using the shared key, and information of one or more Internet Protocol (IP) addresses using the shared key.
18. The apparatus according to claim 14, configured to, when the key is the shared key, cause at least one of: change to a key in at least one entity sharing information regarding the shared key, relocation of at least one key from a shared location to another location, relocation of at least one key to a local directory from a file system serving a plurality of hosts, prevention of a requested key management operation to proceed, removal of an authorization of a key, and blacklisting of a key.
19. The apparatus according to claim 14, configured to determine that the key is the shared key in response to determination of at least one of: the key is associated with at least two hosts, the key is associated with at least two user accounts, a host using the key is linked to a file system for storing directories of a plurality of hosts, the key is located in a shared location, and a command resulting in sharing of the key.
20. The apparatus according to claim 14, configured to trigger a different shared key operation for different shared keys.
21. The apparatus according to claim 14, wherein the shared key is an asymmetric shared key that uses a different key for encryption and decryption, wherein the asymmetric shared key is used for communicating over different communication paths between the group of entities and the client entity.
22. A key management server for a computer network, configured to: determine, as a result of a requested key management operation, that a key is a shared key when information of the key is shared by a group of entities configured to serve a client entity for communication with the client entity or is shared by a group of entities configured to serve a client entity for communication with the client entity, wherein the shared key is used for communicating over different communication paths between the group of entities and the client entity, and cause a shared key operation based on the determination.
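The sharing criteria of claims 10 and 19 (same key on at least two hosts, on at least two user accounts, on a file system that serves many hosts, or in a shared location) and the shared-key operations of claims 2, 4, 6-8 (notice with location count and reasons, relocation to a local directory, blocking the requested operation and prompting for another key) can be expressed as a small inventory scan. The following Python is an added example written for this page; it is not code from the patent or its assignee. The inventory rows, fingerprints, host names, the "shared location" path prefixes and the `add_authorization` operation name are all constructed for illustration.

```python
"""Shared-key detection and handling for an SSH key inventory.

Added example (not code from the patent or its assignee). The inventory rows,
fingerprints, host names and "shared location" path prefixes are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

NETWORK_FS = {"nfs", "cifs", "afs"}                    # file systems that may serve many hosts
SHARED_PATH_PREFIXES = ("/export/", "/srv/shared/")    # constructed: directories treated as shared


@dataclass(frozen=True)
class KeyLocation:
    host: str
    account: str
    path: str      # authorized_keys or private-key file holding the key
    fs_type: str   # "local" or a network file system name


@dataclass
class SharedKeyReport:
    fingerprint: str
    locations: list
    reasons: list = field(default_factory=list)

    @property
    def is_shared(self) -> bool:
        return bool(self.reasons)


# Constructed inventory: (fingerprint, host, account, path, fs_type).
INVENTORY = [
    ("SHA256:aaaa", "web01", "deploy", "/home/deploy/.ssh/authorized_keys", "local"),
    ("SHA256:aaaa", "web02", "deploy", "/home/deploy/.ssh/authorized_keys", "local"),
    ("SHA256:bbbb", "db01", "root", "/root/.ssh/authorized_keys", "local"),
    ("SHA256:bbbb", "db01", "backup", "/home/backup/.ssh/authorized_keys", "local"),
    ("SHA256:cccc", "app01", "alice", "/home/alice/.ssh/id_ed25519", "nfs"),
    ("SHA256:dddd", "app02", "bob", "/home/bob/.ssh/authorized_keys", "local"),
    ("SHA256:eeee", "jump01", "ops", "/export/home/ops/.ssh/authorized_keys", "local"),
]


def analyze(inventory) -> dict:
    """Group key occurrences by fingerprint and apply the sharing criteria."""
    by_fp = defaultdict(list)
    for fp, host, account, path, fs_type in inventory:
        by_fp[fp].append(KeyLocation(host, account, path, fs_type))

    reports = {}
    for fp, locs in by_fp.items():
        report = SharedKeyReport(fp, locs)
        if len({loc.host for loc in locs}) >= 2:
            report.reasons.append("associated with at least two hosts")
        if len({loc.account for loc in locs}) >= 2:
            report.reasons.append("associated with at least two user accounts")
        if any(loc.fs_type in NETWORK_FS for loc in locs):
            report.reasons.append("stored on a file system serving a plurality of hosts")
        if any(loc.path.startswith(SHARED_PATH_PREFIXES) for loc in locs):
            report.reasons.append("located in a shared location")
        reports[fp] = report
    return reports


def plan_operation(report: SharedKeyReport, requested_op: str) -> list:
    """Decide what to run for a requested key management operation.

    A non-shared key gets the requested operation unchanged. A shared key
    gets a notice (location count and reasons), a relocation step when the
    key sits on a network file system, and, if the request would extend the
    key to yet another place, the request is blocked and the operator is
    prompted to use a different key.
    """
    if not report.is_shared:
        return [requested_op]
    ops = [f"notify: {report.fingerprint} found in {len(report.locations)} "
           f"location(s); {'; '.join(report.reasons)}"]
    if any(loc.fs_type in NETWORK_FS for loc in report.locations):
        ops.append("relocate: move the key file to a local directory on each host")
    if requested_op == "add_authorization":
        ops.append("prevent: refuse to add the shared key elsewhere; prompt to use another key")
    else:
        ops.append(requested_op)
    return ops


if __name__ == "__main__":
    for fp, rep in analyze(INVENTORY).items():
        print(fp, "SHARED" if rep.is_shared else "ok", rep.reasons)
```

In a real deployment the inventory would come from collecting `authorized_keys` and private-key files from each host and hashing the public part to a fingerprint; the per-fingerprint grouping is what makes "the same key in two places" visible at all, since each host on its own sees nothing unusual.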
CPC classification titles:

- for controlling access to devices or network resources
- for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)
- wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for symmetric key encryption H04L9/06)
- involving a third party or a trusted authority
- involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]